Department of Homeland Security
Office of Inspector General

Resource and Security Issues Hinder DHS' Implementation of Homeland Security Presidential Directive 12

OIG-10-40    January 2010

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

January 25, 2010

Preface

The Department of Homeland Security (DHS) Office of Inspector General was established by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our oversight responsibilities to promote economy, efficiency, and effectiveness within the department.

This report addresses the strengths and weaknesses of DHS’ program and security management of its implementation of Homeland Security Presidential Directive 12 requirements. It is based on interviews with selected employees, contractor personnel, and management officials, including the Chief Security Officer; direct observations; system security vulnerability assessments; and a review of applicable documents.

The recommendations herein have been developed to the best knowledge available to our office, and have been discussed in draft with those responsible for implementation. We trust this report will result in more effective, efficient, and economical operations. We express our appreciation to all of those who contributed to the preparation of this report.

Richard L.
Skinner
Inspector General

Table of Contents/Abbreviations

Executive Summary

Background

Results of Audit

     Actions Taken to Implement DHS’ HSPD-12 Program

     Inadequate Program Management and Resources Have Led to Delays in DHS’ Implementation of HSPD-12
     Recommendations
     Management Comments and OIG Analysis

     System, Account Management, and Physical Security Controls Are Not Effective
     Recommendations
     Management Comments and OIG Analysis

Appendices

     Appendix A: Purpose, Scope, and Methodology
     Appendix B: Management Comments to the Draft Report
     Appendix C: DHS PIV Card and Issuance Roles
     Appendix D: Current IDMS Architecture
     Appendix E: DHS PIV Card Issuance Process
     Appendix F: Major Contributors to this Report
     Appendix G: Report Distribution

Abbreviations

     ACO        Access Control Office
     ATO        Authority to Operate
     C&A        certification and accreditation
     CA         Certificate Authority
     CBP        Customs and Border Protection
     DHS        Department of Homeland Security
     EIWS       enrollment and issuance workstations
     FEMA       Federal Emergency Management Agency
     FIPS       Federal Information Processing Standards
     FISMA      Federal Information Security Management Act
     FLETC      Federal Law Enforcement Training Center
     FTE        full-time equivalent
     FY         Fiscal Year
     GFE        government furnished equipment
     GSA        General Services Administration
     HSPD-12    Homeland Security Presidential Directive 12
     ICE        Immigration and Customs Enforcement
     ICISS      Identification and Credential Issuing Station and System
     IDMS       Identity Management System
     ISSO       Information Systems Security Officer
     IT         information technology
     ITSO       Information Technology Services Office
     NAC        Nebraska Avenue Complex
     NIST SP    National Institute of Standards and Technology Special Publication
     NPPD       National Protection and Programs Directorate
     OCIO       Office of Chief Information Officer
     OCSO       Office of the Chief Security Officer
     OMB        Office of Management and Budget
     PACS       Physical Access Control System
     PII        personally identifiable information
     PIN        personal identification number
     PIV        Personal Identity Verification
     PKI        Public Key Infrastructure
     PMO        Program Management Office
     SBCG       Secure Baseline Configuration Guide
     SELinux    Security Enhanced Linux
     SSO        Special Security Officer
     SU         super user
     TAF        Trusted Agent FISMA
     TS/SCI     Top Secret/Sensitive Compartmented Information
     TSA        Transportation Security Administration
     USCIS      United States Citizenship and Immigration Services

Executive Summary

Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, requires the development and agency implementation of a mandatory, government-wide standard for secure and reliable forms of identification for federal employees and contractors. All federal departments and agencies are to implement an HSPD-12 program to meet the standard established by the policy, which aims to enhance security, increase government efficiency, reduce identity fraud, and protect personal privacy.

An accurate determination of identity is essential to make sound decisions when granting an individual access to security-sensitive government buildings and other facilities, computer systems, or data. Successful implementation of the directive’s requirements will strengthen access controls, increase the security of federal facilities and information systems, and reduce the potential for terrorist attacks.

Although DHS has established an identification credentialing and issuance process, the department has not made the implementation of an effective HSPD-12 program a priority.
The original completion date for the issuance and use of identity credentials by all federal employees and contractors was October 27, 2008. As of September 22, 2009, only 15,567 of the approximately 250,000 department employees and contractors had been issued identity credentials.

Due to weak program management, including insufficient funding and resources, and a change in its implementation strategy, the department is well behind the deadline for fully implementing an effective HSPD-12 program. In addition, the department faces significant challenges in meeting HSPD-12 directive requirements for logical access to its information systems. Furthermore, system security and account management controls are not effective in protecting the personally identifiable information that the department collects and stores from unauthorized access. Existing security issues must be addressed to allow for the deployment of a robust, efficient, and secure interoperable identity card and issuance system department-wide.

We are making 15 recommendations to DHS’ Chief Security Officer, in conjunction with the Chief Information Officer. DHS management concurred with the recommendations and has already begun to take the actions to implement them. The resolved recommendations will remain open until DHS provides documentation to support that the implementation of all planned corrective actions is complete. DHS’ response is summarized and evaluated in the body of this report and included, in its entirety, as Appendix B.

Background

Traditionally, a wide range of mechanisms has been employed to authenticate an individual’s identity, using various classes of credentials for both physical access to buildings and authorization to access computers and data. HSPD-12 established the policy for a common standard for identification credentials issued by government departments and agencies to their employees and contractors. These credentials are to be used for gaining physical access to federally controlled facilities and logical access to federally controlled information systems.

The Department of Commerce was tasked with developing the standard that specifies the architecture and technical requirements for a common identification standard for federal employees and contractors. The government-wide standard for secure and reliable forms of identification credentials is defined in the Department of Commerce’s Federal Information Processing Standards (FIPS) publication 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors. Figure 1 illustrates the minimum mandatory components and roles required to support PIV control objectives and requirements according to FIPS 201-1.

To support the implementation of HSPD-12, the Office of Management and Budget (OMB) issued Memorandum 05-24 (M-05-24), Implementation of Homeland Security Presidential Directive (HSPD) 12 - Policy for a Common Identification Standard for Federal Employees and Contractors. This memorandum outlined the instructions and guidance, as well as deadlines, for federal departments and agencies to follow when implementing HSPD-12. According to the OMB memorandum, agencies were required to complete the background investigations on all current employees and contractors and to issue identity credentials according to the following schedule:

• October 27, 2007 - Agencies were to complete background checks and issue credentials to all employees and contractors with 15 or fewer years of service.
• October 27, 2008 - Agencies were to complete background checks and issue credentials to all employees with more than 15 years of service.

Additionally, departments and agencies were to identify federally controlled facilities, information systems, and other federal applications that were important for security.

Figure 1: PIV Identity Verification and Issuance

In October 2007, we reported that the department was experiencing delays in developing a technical solution capable of issuing PIV cards to its employees and contractors.[1] Subsequently, OMB granted DHS an extension, until December 2010, to issue PIV cards to its workforce.

We also reported that DHS had neither assessed the total cost to implement HSPD-12 department-wide nor identified the extent to which PIV cards would be used or required to access facilities and information systems.
In addition, component implementation guidance needed to be updated, PIV card issuance statistics were not being posted to DHS’ public website, and the department had not yet identified a technical solution to issue PIV cards to its employees and contractors.

Our recommendations targeted the identification of resources to carry out DHS’ implementation plan, development of a department-wide cost estimate, a decision on facility access points and information systems requiring the use of PIV cards, revisions to component guidance, certification and accreditation of the information systems used to implement HSPD-12 and FIPS 201-1, and the posting of PIV card statistics on the department’s website. Our current audit was conducted to follow up on our prior audit recommendations and assess DHS’ progress in meeting HSPD-12 implementation requirements.

[1] Progress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements (OIG-08-01), October 2007.

Results of Audit

Actions Taken to Implement DHS’ HSPD-12 Program

DHS’ Office of Security is responsible for the department’s HSPD-12 program, with technical support from the Office of the Chief Information Officer (OCIO). DHS is implementing HSPD-12 by issuing biometric smartcards, known as DHS PIV cards. DHS PIV cards will be issued to all DHS employees and contractors, an estimated 250,000 individuals.[2] DHS began issuing these cards to Headquarters employees and contractors in June 2008.[3] DHS uses two systems to support its PIV card issuance process and use. These systems are the Identity Management System (IDMS) and the Headquarters Physical Access Control System (PACS).[4] To support HSPD-12 and FIPS 201-1 requirements, the department has:

• Worked with stakeholders in the DHS components, through an HSPD-12 Council and working groups, to develop a coordinated departmental approach to implementation.

• Awarded a blanket purchase agreement for the component purchase of DHS PIV related technology, such as card enrollment and issuance workstations (EIWS).

• Conducted a pilot to test the use of PIV cards for logical access within the National Protection and Programs Directorate (NPPD). NPPD employees and contractors are continuing to use PIV cards to access DHS’ information systems.

• Achieved PIV Card Issuer accreditation for Headquarters from the General Services Administration (GSA). Through this accreditation, GSA approved the configuration of DHS’ PIV card.[5]

• Established the Identity Management Division within the Office of Security in June 2009. The Program Management Office (PMO), introduced in March 2006, became part of the Identity Management Division.

• Deployed card EIWS at Customs and Border Protection (CBP), Federal Emergency Management Agency (FEMA), FLETC, Headquarters, Immigration and Customs Enforcement (ICE), Transportation Security Administration (TSA), and United States Citizenship and Immigration Services (USCIS) during Fiscal Year (FY) 2009. The number of cards produced and issued to component personnel, as of September 22, 2009, is shown in Figure 2.

Figure 2: DHS PIV Cards Issued by Component

     Component             Cards Issued
     CBP                              9
     FEMA                         3,113
     FLETC                           35
     DHS Headquarters            11,875
     ICE                              8
     TSA                              5
     USCIS                          522
     Total                       15,567[6]

Despite the progress made, DHS still faces further delays and significant program and system management challenges in implementing an effective HSPD-12 program. For example, according to program management, DHS will not be able to meet the December 2010 extension OMB granted to complete issuing PIV cards to its employees and contractors. DHS’ milestone for completion of PIV card issuance to employees and contractors is now September 30, 2011, a date that is almost three years after the mandated October 27, 2008, deadline established by OMB.

[2] The United States Coast Guard is exempt and will continue to use the Department of Defense Common Access Card, except for those personnel who routinely access DHS-controlled facilities that have migrated to DHS PIV cards.
[3] DHS Headquarters consists of the Offices of the Chief Financial Officer, Chief Privacy Officer, Domestic Nuclear Detection, Federal Law Enforcement Training Center (FLETC), General Counsel, Inspector General, Intelligence and Analysis, and Policy.
[4] An electronic interface to connect IDMS and Headquarters PACS has not been developed or installed.
[5] Based on OMB M-07-06, Validating and Monitoring Agency Issuance of Personal Identity Verification Credentials, agencies were required to submit the configuration of their standard credential to GSA for testing and approval.
[6] Not all of the cards issued have been “activated” in IDMS and PACS. Of the 15,567 cards issued, 12,892 had been activated. The numbers include revoked cards and test cards.

DHS does not have a plan to successfully implement a robust program to increase physical and logical access security within the department. The absence of an HSPD-12 program implementation plan, a department-wide deployment strategy, and sufficient resources is hindering progress. Components currently have their own individual physical access control systems, which will need to be consolidated into DHS’ Headquarters PACS some time in the future. More work remains to ensure that existing infrastructures are consolidated to support DHS’ HSPD-12 program. In addition, an interface between the card issuance system, IDMS, and PACS is needed.
Necessary facility upgrades need to be completed at component locations to ensure PIV cards are interoperable with DHS’ physical and logical access control systems.

Inadequate Program Management and Resources Have Led to Delays in DHS’ Implementation of HSPD-12

Implementation of a fully functional identity management system is a significant effort requiring the coordination of various staff and resources. Implementing a fully functional smartcard infrastructure requires more than printing and issuing cards. Buy-in and active participation of leadership is essential to the success of a credentialing program.

A program management approach is to be established for all projects commensurate with the size, complexity, and project requirements. Sponsors of such programs should have sufficient authority to own the execution of a project within the overall strategic program. Smartcard implementation is a complex program management task. According to the Federal Identity Management Handbook, HSPD-12 requires program managers to procure and implement smartcard technology. Each agency is expected to allocate funding and resources to support the implementation of HSPD-12.

In June 2009, the department changed its strategy on how DHS PIV cards would be issued, from a component-by-component implementation to a centrally managed regional strategy. Since this change in the department’s implementation strategy, the PMO has not received adequate staffing or funding, developed a viable implementation and regional deployment plan, estimated the department-wide cost for implementing HSPD-12, or identified performance measures to properly track implementation progress. As a result, the department’s full implementation of HSPD-12 has been effectively delayed until September 30, 2011.

DHS’ PMO Was Not Adequately Staffed or Funded

DHS’ PMO is responsible for implementing HSPD-12. Department leadership, however, did not provide adequate support, funding, or resources for the PMO to effectively manage and oversee DHS’ implementation of its HSPD-12 program. As a result, DHS is well behind schedule.

The PMO, established in March 2006, was initially staffed on an ad hoc basis, and Security Office funding was often diverted to higher priority programs, such as security background investigations. Prior to October 2009, the PMO was not authorized any full-time equivalent (FTE) employees or funding for contractor staff. In its FY 2010 budget request, the Office of Security asked the department for funding for PMO staffing, but the department authorized no FTE employees. The Office of Security itself authorized six FTE employees for the PMO in FY 2010. Five employees are currently onboard, and the PMO is in the process of converting one contractor employee to an FTE.

According to DHS management officials, the department-wide implementation of HSPD-12 has not been a priority. Therefore, DHS has not yet implemented a robust, efficient, and interoperable identity credentialing program to increase both physical and logical information security.

A Regional Program Implementation and Deployment Plan Has Not Been Developed

The PMO has not developed an implementation and deployment plan based on the centrally managed regional implementation strategy that DHS has employed to address HSPD-12 requirements. Though the PMO has begun to develop a new program implementation plan, it is unknown when the plan will be ready. Also, as we reported in 2007, DHS has not yet identified to what extent PIV cards will be used or required to access specific facilities or information systems throughout the department.

DHS’ HSPD-12 program implementation plan should define the scope of work and the roles and responsibilities of key personnel. The plan should also identify facilities and information systems that will be affected and outline the card functions DHS will enable to authorize access to resources. In addition, the plan should include milestones for critical tasks associated with the issuance of PIV cards, such as the deployment of the new regional enrollment centers. Furthermore, the plan should specify locations, estimate the numbers of staff to be processed through each facility, and identify when each location will receive card EIWS.

OMB M-05-24 requires agencies to develop an implementation plan, which must be submitted to OMB for review and approval. As we reported in October 2007, the Office of Security originally submitted an implementation plan to OMB. The implementation plan developed was based on component-by-component milestones for the department’s compliance with HSPD-12 requirements to meet the December 2010 deadline approved by OMB. However, the original plan became obsolete when the department changed its HSPD-12 program implementation strategy in June 2009. Further, without an implementation or deployment plan, the PMO determined that the department will be unable to meet OMB’s extended December 2010 date. The new deadline date established by the PMO is September 30, 2011, but OMB has not approved this date.

DHS Has Not Developed a Department-Wide Cost Estimate

In our October 2007 report, we recommended that DHS develop a department-wide cost estimate to ensure that sufficient resources were allotted to implement HSPD-12. Although DHS concurred with this recommendation, it has not developed a department-wide cost estimate that includes all costs related to its HSPD-12 implementation.

Federal agencies and components were to fund HSPD-12 implementation from existing resources. Because component-level resources were limited, DHS changed its strategy, in part, to better oversee and manage the components’ implementation of HSPD-12. Additionally, the change to a regional HSPD-12 implementation strategy was expected to cost the department less to implement than the original plan.

The ability to meet the milestones for card issuance depends on the availability of funding and resources to meet the initial anticipated needs. Existing funding and resource issues related to the department’s implementation of HSPD-12 have contributed to significant delays in meeting milestone dates for card issuance and full implementation of its HSPD-12 program.

The PMO established the following milestones for initial card issuance for the estimated 250,000 DHS employees and contractors:

• FY 2009 – Complete issuance to 10,000 federal employees and contractors.[7]
• FY 2010 – Complete issuance to 135,000 federal employees and contractors.
• FY 2011 – Complete issuance to 105,000 federal employees and contractors.

The current $25 million budget for FY 2010 is based on the costs associated with issuing 135,000 PIV cards.
The costs are broken\n                          down in detail as follows:\n\n                          \xe2\x80\xa2\t Initial Issuance and Support: Card issuance workstation\n                             leasing, installation, and maintenance (for 192 workstations),\n                             surge labor support (consisting of 60 contractors), PMO\n                             support, training, software leasing and license fees (for up to\n                             200 locations), and development of three interfaces to connect\n                             vetted databases.\n                          \xe2\x80\xa2\t Issuance Consumables: PIV card stock, badge holders,\n                             lanyards, and printer consumables.\n                          \xe2\x80\xa2\t Annual Enterprise Back-End System Costs Required to\n                             Support Technical Solution: Maintenance of IDMS and\n                             interface to Certificate Authority (CA), IDMS license fee and\n                             server hosting, Treasury CA and maintenance fee, Public Key\n                             Interface (PKI) support (consisting of four contractors), PKI\n                             certificates and maintenance (for 250,000 identities), Virtual\n                             Private Network support, maintenance of Headquarters and\n                             component interfaces (currently five interfaces), and logical\n                             access enterprise middleware.\n\n                          The same cost breakdown based on the initial issuance of the\n                          remaining 105,000 cards was used in developing the FY 2011\n                          budget estimate.\n\n                          The PMO determined that it cost $177 per PIV card issued in\n                          FY 2009.8 Working under the assumption that the cost per card\n                          issued would remain the same, the projected 
cost for card issuance\n                          in FY 2010 would be approximately $24 million ($177 \xc3\x97 135,000\n                          cards). With a budget of $25 million, little funding would remain\n                          to cover other costs not considered part of card issuance in the\n                          FY 2010 budget. For example, the cost of establishing PIV card\n                          enrollment centers at DHS\xe2\x80\x99 component locations are not covered in\n                          the card costs. Enrollment centers will be needed in FY 2010 to\n                          issue PIV cards. The FY 2010 budget also does not cover the costs\n7\n DHS surpassed this goal; a total of 15,652 cards were issued in FY 2009. \n\n8\n The cost per card is based on the issuance of 15,652 PIV cards in FY 2009 (October 1, 2008, through \n\nSeptember 30, 2009).\n\n                   Resource and Security Issues Hinder DHS\xe2\x80\x99 Implementation of HSPD-12 \n\n\n                                                 Page 9\n\n\x0c       associated with the installation of card readers at component\n       facilities, development of an interface to connect IDMS and\n       Headquarters PACS, consolidation of components\xe2\x80\x99 physical access\n       systems into PACS, or the maintenance of PACS.\n\n       Logical access costs are not covered in the $22 million FY 2011\n       budget estimate even though logical access capability is expected\n       to be implemented in the first quarter of FY 2011. Additionally,\n       the cost of work to ensure that existing component infrastructures\n       are interoperable with Headquarters PACS is not included in the\n       FY 2011 budget estimate.\n\n       DHS\xe2\x80\x99 department-wide cost estimates for FYs 2010 and 2011 are\n       based on the costs associated with PIV card issuance, not the\n       department-wide implementation of HSPD-12. 
Costs for infrastructure and system upgrades associated with interoperability issues have not been considered, and these issues may take many years to address.

HSPD-12 Performance Measures Have Not Been Established

Quantifiable performance measures have not been developed to provide an overview of how DHS will meet its anticipated September 30, 2011, HSPD-12 implementation deadline. Since DHS’ HSPD-12 PMO has not yet revised its implementation or deployment plan milestones, it is unable to determine the overall progress the department has made in implementing HSPD-12.

Performance measurement indicates what a program is accomplishing and whether results are being achieved. In addition, it helps management by providing information on how resources and efforts should be allocated to ensure effectiveness. OMB requires each agency to prepare an annual performance plan covering each program activity included in the budget of the agency. A performance plan should include the following:

• Goals that define the level of performance to be achieved by a program activity.
• Goals that are objective, quantifiable, and measurable.
• Performance indicators to measure or assess the relevant output, service levels, and outcomes of each program activity.
• A basis for comparing actual program results with established performance goals.

The PMO has not completed its plan for department-wide implementation of HSPD-12. The implementation plan should include milestones and goals that are quantifiable and measurable. In addition, though the PMO has requested that components submit a status of their progress regarding facility upgrades, such as installing and replacing card readers, not all of the components are submitting these reports. The PMO does not have the authority to make the components submit implementation status reports; therefore, the PMO is unable to measure the components’ overall status and readiness for HSPD-12 compliance.

Conclusion

DHS’ ability to meet card issuance and regional deployment milestones depends on the availability of staffing and resources. Insufficient funding and resources have, in part, caused the department’s current delays in implementing an effective HSPD-12 program within OMB’s timelines. The PMO, brought under the newly established Identity Management Division in June 2009, could not adequately manage the timely implementation of HSPD-12 because it was not properly funded or staffed.

Poor planning and program management, a change in the department’s implementation strategy, and insufficient funding and resources have led to significant delays in issuing PIV cards in a timely manner and in meeting OMB’s deadline for implementing an effective HSPD-12 program. The delayed issuance of DHS PIV cards has limited the department’s ability to enhance and strengthen its overall physical access security process based on credentialing technology.
In addition, the delays have affected other parts of the department’s compliance with HSPD-12 and FIPS 201-1, including logical access, and will affect DHS employee and contractor access to other federal buildings. Once implemented, a secure and interoperable HSPD-12 compliant card will provide the attributes of security, authentication, identity verification, trust, and privacy to a commonly accepted identification card for federal employees and contractors.

Recommendations

We recommend that DHS’ Chief Security Officer, in conjunction with the Chief Information Officer:

Recommendation #1: Ensure that the PMO has the staffing and funding necessary to effectively coordinate and oversee the department-wide implementation of HSPD-12.

Recommendation #2: Develop a regional implementation plan that includes detailed information about how the PMO will centrally manage the department-wide deployment of its HSPD-12 program. The plan should identify milestone dates and define program measures to track HSPD-12 implementation progress.

Recommendation #3: Discuss and coordinate with OMB on the department’s updated milestones and implementation of HSPD-12 requirements.

Recommendation #4: Estimate the department-wide cost to comply with HSPD-12 and FIPS 201-1 requirements and prioritize the department’s costs to ensure that physical and logical access interoperability requirements will be met. The estimate should cover the funding and other resources necessary to support HSPD-12 over a period of no less than five years.

Recommendation #5: Identify the facility access points and information systems that will require the use of PIV cards.

Management Comments and OIG Analysis

DHS management concurred with recommendation 1. DHS noted, however, that the implementation of HSPD-12 has always been a priority for department leadership and the Management Directorate. To address the unfunded HSPD-12 mandate, department leadership took the initiative to realign existing resources (fiscal and personnel) from within the Office of the Chief Security Officer (OCSO) to provide funding and contractor support. Furthermore, OCSO is exploring the possibilities of detailing experienced and qualified component employees and an internal reorganization to obtain the necessary staffing. OCSO and the PMO will also work with the DHS Chief Financial Officer to identify a sustainable funding stream.

OIG Analysis

We do not agree with DHS’ assertion that HSPD-12 has been a priority. In meetings held with management, DHS officials stated that HSPD-12, an unfunded mandate, was not previously a departmental priority. Therefore, funding was often diverted to higher priority programs, such as security background investigations.
We do agree that current management, including the Secretary and Deputy Secretary, support the centrally managed approach and want HSPD-12 to be a priority because it helps create the “one DHS” strategy emphasized by unifying components.

The steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 2. OCSO has developed a regional implementation plan using a centrally-purchased approach that includes oversight of the components’ implementation of HSPD-12. The plan, which will be finalized by January 30, 2010, will incorporate component input based on their anticipated certification and accreditation (C&A) schedules, as well as milestone dates and program implementation tracking measurements. Component completion of their respective C&A (i.e., Authority to Operate [ATO]) activities is a key dependency for DHS PIV card issuance. The OCSO centrally-purchased approach will use a component task force implementation model for card issuance. The component task force implementation model will rely on component staffing and active participation and management to carry out their respective PIV issuance responsibilities. PIV card issuance is expected to begin in New York City; Dallas, TX; and Los Angeles, CA in the second quarter of FY 2010.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 3. Personnel from OCSO and OCIO met with OMB officials on November 18, 2009, to provide an update on the status of DHS HSPD-12 implementation. OMB was advised that the anticipated completion date is March 2012. This revised date is based on card issuance completion schedules, enterprise infrastructure progress, and the alignment of DHS efforts with the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance released on November 10, 2009.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 4. OCSO has developed a department-wide cost estimate for PIV deployment in FY 2010 that totals approximately $24 million. Efforts to quantify the totality of DHS HSPD-12 physical and logical access requirements are continuing. Component cost estimates are being consolidated to create a department-wide physical security cost estimate. This effort is scheduled to be completed in April 2010. Concurrent with this effort, the OCIO will develop a comprehensive cost estimate to implement logical access to DHS unclassified networks using HSPD-12 compliant PIV cards.
OCIO anticipates completion of this effort by September 30, 2010. Finally, as part of the DHS Capital Planning and Investment Control process, Life Cycle Cost Estimates data developed for the DHS FY 2012 System Engineering Life Cycle planning and the OMB E300s will reflect the totality of the HSPD-12 physical and logical access interoperability requirements.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 5. In coordination with the DHS Physical Security Managers Working Group, the OCSO is consolidating component-provided inventories of physical access control systems and the identification of facility access points. By March 2010, OCSO expects to have a completed physical access control system roadmap. The roadmap will identify and prioritize facility access points, requirements, and identify the time-phase adaptation of legacy physical security environments to PIV-enabled and compatible environments. FIPS 201 compliant readers are currently being tested at locations around the Nebraska Avenue Complex (NAC). In particular, all employees entering the front gate of the NAC are required to use the PIV 201 reader. OCIO is reviewing all DHS information systems and will develop a comprehensive list of candidate systems for mandatory HSPD-12 PIV card access by September 30, 2010.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

System, Account Management, and Physical Security Controls Are Not Effective

IDMS is DHS’ contractor-developed and managed technical solution for PIV card issuance.[9] In September 2007, this solution received GSA approval as a FIPS 201 compliant card issuance system for identity proofing, records management, and credentialing of PIV smartcards. The contractor is responsible for maintaining the security over the system, including the IDMS database and card issuance workstations, training, and support. DHS’ OCIO is currently overseeing the second option year of a five-year contract.

Headquarters PACS is an automated legacy system that DHS inherited from the Department of the Navy that manages PIV cardholder records and controls an individual’s physical access to federally controlled Headquarters facilities, such as the NAC, through the use of card readers and applicable software.
Card readers — electronic devices that supply power to and communicate with PACS and the PIV card — enable cardholders to be authenticated and communicate with the access control application.

We evaluated the physical and logical security controls implemented to determine whether they were effective in protecting the data collected and stored, including personally identifiable information (PII). We performed vulnerability testing of the IDMS database, web application, and server; government furnished equipment (GFE) at the contractor’s Miami, FL, location and Headquarters enrollment centers; card issuance workstations located at Headquarters and CBP; and a kiosk located at the NAC. We also determined whether IDMS and PACS have been certified and accredited. In addition, we ran queries on the IDMS and PACS data to determine whether adequate account management and PIV card access controls have been implemented to restrict and control access to sensitive and personal data. Further, we tested a sample of PIV cards that had been revoked to determine whether they still allowed physical access to Headquarters facilities.

[9] As documented in our 2007 report, the Identification and Credential Issuing Station and System (ICISS) was the predecessor to IDMS. Because ICISS could not be used to produce large quantities of PIV cards in a production environment, DHS sent out a proposal for a technical solution capable of meeting DHS’ PIV card production requirements. IDMS was the system procured.

Overall, DHS has implemented adequate physical security controls over IDMS at the contractor facility in Miami. Physical security evaluations conducted at the Network Access Point of the Americas building and contractor headquarters offices in Miami, where the IDMS backup system is located, uncovered only a few minor issues. These issues were addressed by the contractor’s Facility Security Officer while on-site. However, our evaluations of physical security conducted at Headquarters card issuance and enrollment centers identified several security issues with regard to the protection of PIV card stock, PIV cards, and PII.

IDMS was certified and accredited to operate at the contractor’s Miami site in June 2008, until becoming operational at the department’s Stennis Data Center. The ATO for IDMS at the Stennis Data Center was granted in September 2009. Appendix D shows the overall architecture of IDMS and accreditation boundaries. Headquarters PACS has not been certified or accredited.

No high or critical system vulnerabilities were identified during our vulnerability assessments of the IDMS database, web application, and server. However, system security controls have not been implemented, and significant access control and account management security issues were identified.

Effective Security and Management Controls Have Not Been Implemented

A federal agency’s success at managing its security requirements is contingent upon its processes for auditing governance, compliance, and use.
Because many different users access an agency’s facilities and networks, it is especially challenging for an agency to grant the necessary rights and privileges to each user while still protecting the confidentiality and privacy of its users and data. While privileges granted to PIV cardholders are a local agency decision, the PIV card is a core component to setting the “trust model” across the federal government.

DHS’ oversight and implementation of security requirements and management controls were not effective. We identified issues surrounding system configuration management, separation of duties, biometric checking, the certification and accreditation of Headquarters PACS, account roles and privileges, and DHS PIV card controls.

System Security and Management Controls Are Not Enforced

Our assessment of IDMS identified a number of system security and management issues. We determined that system configuration management is not adequate and a number of security controls have not been implemented to protect personal data collected and processed by IDMS. We identified the following issues:

• The PMO is not enforcing a separation of duties when granting IDMS administrative account roles. Specifically, the PMO has chosen not to separate the roles of the enrollment official and PIV issuer via a “two-man rule,” designed to segregate PIV card enrollment and issuer duties. When the two-man rule is implemented, the system tags administrative account users who have enrolled an applicant and denies any attempt by the same user to issue that applicant a PIV card.

  DHS chose not to implement a separation of duties through policy and system controls. Instead, the department implemented a seamless process where an employee visits only a single enrollment official. According to DHS officials, the department took this approach because it did not have enough enrollment staff to separate the roles.

  We identified 38 administrative account users who have both enrollment official and PIV issuer roles, meaning that these individuals have rights to enroll an applicant and issue a PIV card autonomously. Furthermore, 12 administrative account users have DHS PIV sponsor, PIV registrar, enrollment official, and PIV issuer roles. These roles allow them to create a new employee in the system, input card information, and then issue a card autonomously, increasing the risk that fraudulent cards may be produced and issued to unauthorized individuals.

  DHS’ detailed PIV card and issuance roles are defined in Appendix C.

• Local logs on the Security Enhanced Linux (SELinux) server and GFE are inadequate. Furthermore, local logs are not reviewed on EIWS. Local logs on the EIWS are not protected from unauthorized modification, access, or destruction because users have local administrative privileges through a shared account.

• Password controls have not been implemented on the SELinux server that holds the IDMS database.
In addition, the maximum password age was set to 99,999 days, while the minimum password age was set to 0 days.

• Required antivirus software was not installed on the EIWS.

The Federal Identity Management Handbook specifies that the approval authority should make sure that no single individual or role has the capability to issue a card without the participation of another individual; at least two different individuals must participate in the process at all times. A separation of duties is required by the DHS Sensitive Systems Handbook 4300A (DHS 4300A) for user access control. As documented in the Department of Homeland Security (DHS) Headquarters Homeland Security Presidential Directive 12 (HSPD-12) Procedures Reference Book, the DHS PIV sponsor should not be the PIV registrar or PIV issuer for the applicant.

Under DHS 4300A, configuration management controls must be established, implemented, and enforced on all information technology (IT) systems and networks. Logs (audit records) should contain enough detail to reconstruct an incident; logs are to be protected from unauthorized access, modification, and destruction.
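The two-man rule and the role-conflict review described above, as an added example that is not part of the OIG report or of IDMS itself. The role names and the forbidden combinations (enrollment official with PIV issuer; PIV sponsor with PIV registrar or PIV issuer) follow the report; the account names and the applicant record are constructed.

```python
"""Separation-of-duties audit for PIV issuance roles (added example).

Two checks modelled on the report's findings:
  1. a review of IDMS administrative accounts for role combinations that
     let one person enrol and issue (or sponsor and register/issue) alone;
  2. the "two-man rule" applied at issuance time: the system refuses to
     let the account that enrolled (or sponsored) an applicant also issue
     that applicant's card.
All account names and applicant data below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

SPONSOR = "PIV sponsor"
REGISTRAR = "PIV registrar"
ENROLLMENT = "enrollment official"
ISSUER = "PIV issuer"

# Role pairs a single account must not hold at the same time.
CONFLICTING_PAIRS = frozenset({
    frozenset({ENROLLMENT, ISSUER}),   # two-man rule on enrol/issue
    frozenset({SPONSOR, REGISTRAR}),   # Procedures Reference Book
    frozenset({SPONSOR, ISSUER}),      # Procedures Reference Book
})
# An account holding all four can create, register, enrol and issue alone.
END_TO_END = frozenset({SPONSOR, REGISTRAR, ENROLLMENT, ISSUER})

# Constructed sample of IDMS administrative role assignments.
IDMS_ROLE_ASSIGNMENTS: Dict[str, Set[str]] = {
    "admin01": {ENROLLMENT},
    "admin02": {ISSUER},
    "admin03": {ENROLLMENT, ISSUER},
    "admin04": {SPONSOR, REGISTRAR, ENROLLMENT, ISSUER},
    "admin05": {SPONSOR, REGISTRAR},
}


def find_role_conflicts(assignments: Dict[str, Set[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each offending account to the conflicting role pairs it holds."""
    conflicts: Dict[str, List[Tuple[str, str]]] = {}
    for account, roles in assignments.items():
        held = set(roles)
        hits = sorted(tuple(sorted(pair)) for pair in CONFLICTING_PAIRS if pair <= held)
        if hits:
            conflicts[account] = hits
    return conflicts


def find_end_to_end_accounts(assignments: Dict[str, Set[str]]) -> List[str]:
    """Accounts that could produce a card for a fabricated identity unaided."""
    return sorted(acct for acct, roles in assignments.items() if END_TO_END <= set(roles))


@dataclass
class ApplicantRecord:
    """Who handled each step for one applicant (constructed sample data)."""
    applicant_id: str
    sponsor: str
    registrar: str
    enrolled_by: str
    issued_by: Optional[str] = None


def two_man_rule_violations(record: ApplicantRecord, issuer: str) -> List[str]:
    """Reasons the system must deny `issuer` issuing this applicant's card.

    An empty list means a second, independent person is issuing and the
    issuance may proceed.
    """
    reasons = []
    if issuer == record.enrolled_by:
        reasons.append("issuer enrolled this applicant")
    if issuer == record.sponsor:
        reasons.append("issuer sponsored this applicant")
    return reasons


def issue_card(record: ApplicantRecord, issuer: str) -> bool:
    """Enforce the two-man rule; record the issuer only when it passes."""
    if two_man_rule_violations(record, issuer):
        return False
    record.issued_by = issuer
    return True


if __name__ == "__main__":
    for acct, pairs in find_role_conflicts(IDMS_ROLE_ASSIGNMENTS).items():
        print(f"{acct}: conflicting roles {pairs}")
    print("end-to-end accounts:", find_end_to_end_accounts(IDMS_ROLE_ASSIGNMENTS))
    rec = ApplicantRecord("A-1001", sponsor="admin05", registrar="admin05", enrolled_by="admin03")
    print("admin03 may issue:", issue_card(rec, "admin03"))   # denied: enrolled the applicant
    print("admin02 may issue:", issue_card(rec, "admin02"))   # allowed: independent issuer
```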
Furthermore, DHS policy requires the establishment and enforcement of virus protection control policies, which include the configuration and installation of antivirus software on servers. According to the DHS Linux Secure Baseline Configuration Guide (SBCG), the minimum password age should be set to seven days, and the maximum password age should be set to 90 days.

DHS Is Not Performing Required Biometric Checks

DHS is not performing biometric checks during card registration and issuance. FIPS 201-1 requires that a full set of fingerprints be collected and compared with law enforcement data for biometric verification during the identity proofing and registration process. DHS has not been performing biometric checks during enrollment. DHS plans to leverage the department’s United States Visitor and Immigrant Status Indicator Technology system for biometric checks, but did not provide a timeframe for implementing the process to perform these checks. Identity proofing cannot be fully completed when fingerprint data is not compared with law enforcement data.

Headquarters PACS Has Not Been Certified and Accredited

Headquarters PACS is listed as in the “development” stage of the system development life cycle in Trusted Agent FISMA (TAF). However, PACS has been operational since November 2003 at the NAC, and used throughout the National Capital Region since April 2005. Therefore, PACS should be listed as an operational system, and certified and accredited to comply with DHS requirements implemented under the Federal Information Security Management Act (FISMA).

Headquarters PACS has not been certified and accredited. Accreditation is a formal declaration by a Designated Approving Authority that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk. To implement FISMA requirements, DHS requires system certification and accreditation prior to a system being operational.

Additionally, operational systems are to be listed in an agency’s inventory according to OMB’s FISMA reporting guidance. At DHS, systems that are in development in TAF are not counted toward system inventory. Because PACS should be listed as an operational system, DHS’ system inventory is being underreported per OMB’s FISMA reporting guidance.

Account and PIV Card Management Controls Have Not Been Defined

IDMS is composed of applications used to manage the identity verification, validation, and issuance processes to produce the department’s PIV cards. The IDMS database contains records of all smartcards issued to employees and contractors, as well as their status. Much of this same sensitive information is contained in Headquarters PACS.

The activation and deactivation of DHS PIV cards in PACS is a manual process. Manual procedures are required because there is currently no electronic interface between the two databases. Once a card is issued via IDMS, it must be activated in PACS to allow DHS Headquarters employees and contractors physical access to federally controlled facilities.
Cards revoked in IDMS must be deactivated in PACS. The card issuance process is shown in Appendix E.

We performed detailed queries of IDMS to determine whether the administrative account access privileges to system data were properly controlled. Also, because the activation and deactivation of DHS PIV cards in PACS is a manual process, we compared card data in IDMS with Headquarters PACS data to determine whether the card status was updated properly in both systems. The results of our analysis showed:

• There are many unused and unaccounted-for test accounts and cards currently active in IDMS. We also identified three user account roles — Applicant, Adjudicator, and Activator — that were assigned to 121 user accounts, but can no longer be used or granted to system users. Unused account roles should be deleted to prevent accidental or lingering access rights. According to DHS 4300A, unused user identifications should be disabled after 45 days of inactivity.

• There may be an excessive number of individuals with account access to the IDMS database and system audit logs. Our analysis identified 11 “su,” or “super user,” accounts, which grant full access to the IDMS database, and 18 Information System Security Officer (ISSO) accounts in IDMS, which allow the user to view and monitor system logs. The principle of least privilege must be implemented under DHS policy, and access to system logs should be restricted.

  According to DHS 4300A, the principle of least privilege must be applied to protect sensitive information and limit the damage that can result from accident, error, or unauthorized use. The principle of least privilege requires that users be granted the most restrictive set of privileges or lowest clearance needed to perform their authorized tasks. Users should be able to access only the system resources needed to fulfill their job responsibilities. The application of the least privilege principle ensures that access to sensitive information is granted only to those users with a valid need to know. Audit records and audit logs are to be protected from unauthorized modification, access, or destruction.

• Though the IDMS web application/database is compliant with DHS 4300A, we identified three web application accounts that were not assigned to specific individuals.
Two were system accounts, used to initially set up the system and create administrative accounts; both of these accounts can no longer be used to access any information or establish new accounts. The third was a temporary test account that was never deleted. Accounts that are not in use or have never been used should be deleted from the IDMS database.

• All IDMS EIWS users share one local administrator account. The shared account allows users more control of the system and limits the need for administrative personnel site visits to fix common issues, such as user account lockout. However, under DHS 4300A, shared accounts (i.e., group identifications and passwords) should be limited to operational necessity and must be approved by the appropriate Designated Approval Authority.

• The manual card deactivation process in use at DHS has led to inconsistencies between the IDMS and Headquarters PACS databases. Forty of the 1,539 deactivated cards, or 2.6%, were deactivated in IDMS but incorrectly left active in PACS. When physical access rights are still activated on a card, an individual may gain unauthorized access to DHS Headquarters facilities and areas.

• The contractor is not properly obtaining DHS permission to create or alter IDMS accounts. Although account management procedures have not been clearly defined, according to the IDMS System Security Plan, the contractor is to request permission to create or alter an account by sending an e-mail to either the HSPD-12 Program Manager or IT Lead. Once permission is granted, via another e-mail, contractor personnel can create or alter an account. Based on discussions with DHS and contractor personnel, permissions to create or alter IDMS accounts are usually requested in person or by phone. E-mails are not being sent to properly request permission as specified in the IDMS System Security Plan.

The lack of formal procedures for properly creating, altering, and deleting accounts, and the informal creation of test records and accounts by contractor and DHS personnel, have led to a number of unused and unaccounted-for card records in IDMS. The IDMS System Security Plan provides informal procedures for PIV cards and system access controls, but these procedures are not being followed by the contractor or enrollment officials, nor are they being enforced by the PMO. Because there is no electronic interface between IDMS and Headquarters PACS, the manual process used to update card access privileges, activation, and deactivation has led to inconsistencies between the two databases.

Authorized Signatory Agents Have Not Been Identified

The Office of Security’s Headquarters Access Control Office (ACO) does not verify that an authorized signatory agent, or a person with the authority to grant an applicant’s request for a DHS PIV card, signed an applicant’s Access Control Card Request Form (DHS 11000-14).
As long as Form 11000-14 is signed by a Special Security Officer (SSO), the ACO does not confirm whether the person who signed the applicant's form is authorized to approve an applicant's request.

The Headquarters ACO requires that each directorate submit a Signatory Authority Form every six months with the names of individuals authorized to sign off on the clearance portion of the Access Control Card Request Form. The ACO, however, has not developed a list of authorized signatory agents who are allowed to approve an applicant's DHS 11000-14 form, nor has it instituted verification procedures to ensure that forms are signed by authorized individuals.

Based on the Office of Security's Standard Operating Procedure, SSOs must sign all DHS 11000-14 forms for processing. However, according to the Headquarters ACO Branch Chief, SSOs need to sign 11000-14 forms only for employees requiring a Top Secret/Sensitive Compartmented Information (TS/SCI) clearance. The SSO's signature is not necessary for applicants with other security clearance levels. It is unclear when an SSO is required to sign an applicant's DHS 11000-14 form.

Without a list of authorized signatory agents or clear standard operating procedures, there is an increased risk that unauthorized individuals may be approving applicants' forms and clearance information.
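One way an ACO could verify Form 11000-14 signatures against the six-monthly Signatory Authority Forms, as an added example that is not the report's or the ACO's own procedure: each directorate's list carries its submission date and the names it authorizes, and a form is rejected when the directorate has no list on file, the list is more than six months old, the signer is not on it, or (under an assumed policy setting) a TS/SCI request lacks an SSO signature. An SSO signature does not substitute for an authorized signatory agent, which is the gap the finding describes. The validity window, the SSO rule, the record layout, and the sample directorates and names are constructed assumptions.

```python
"""Check that a DHS Form 11000-14 carries an authorized signatory's signature.

Added example; it is not code from the OIG report or from the ACO's actual
procedures. The list layout, the six-month validity window, the SSO rule and
the sample names are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed: a directorate's Signatory Authority Form is good for six months
# from submission, matching the resubmission interval the ACO requires.
LIST_VALIDITY = timedelta(days=183)


@dataclass(frozen=True)
class SignatoryList:
    directorate: str
    submitted: date
    agents: frozenset  # names of individuals authorized to sign


@dataclass(frozen=True)
class Form11000_14:
    applicant: str
    directorate: str
    signer: str
    signed_on: date
    clearance: str     # e.g. "Secret", "Top Secret", "TS/SCI"
    sso_signed: bool   # a Special Security Officer also signed


def check_form(form, lists, sso_required_for=frozenset({"TS/SCI"})):
    """Return a list of problems; an empty list means the form may be processed.

    sso_required_for is an assumed policy knob: which clearance levels need an
    SSO signature in addition to the authorized signatory agent's.
    """
    problems = []
    current = lists.get(form.directorate)
    if current is None:
        problems.append(f"no Signatory Authority Form on file for {form.directorate}")
    else:
        if form.signed_on < current.submitted:
            problems.append("form predates the directorate's current signatory list")
        elif form.signed_on - current.submitted > LIST_VALIDITY:
            problems.append("directorate's signatory list is more than six months old")
        # The signer must be on the list regardless of any SSO signature.
        if form.signer not in current.agents:
            problems.append(f"{form.signer} is not an authorized signatory agent")
    if form.clearance in sso_required_for and not form.sso_signed:
        problems.append(f"{form.clearance} request lacks an SSO signature")
    return problems


def audit_forms(forms, lists):
    """Map each applicant to the problems found on their form."""
    return {f.applicant: check_form(f, lists) for f in forms}


# Constructed sample data (not real DHS personnel or directorates).
LISTS = {
    "Directorate A": SignatoryList("Directorate A", date(2009, 4, 1),
                                   frozenset({"J. Doe", "R. Roe"})),
    "Directorate B": SignatoryList("Directorate B", date(2008, 9, 1),
                                   frozenset({"M. Poe"})),
}
FORMS = [
    Form11000_14("applicant-1", "Directorate A", "J. Doe", date(2009, 7, 20), "Secret", False),
    Form11000_14("applicant-2", "Directorate A", "K. Koe", date(2009, 7, 20), "Secret", True),
    Form11000_14("applicant-3", "Directorate B", "M. Poe", date(2009, 7, 20), "TS/SCI", False),
    Form11000_14("applicant-4", "Directorate C", "J. Doe", date(2009, 7, 20), "Secret", False),
]


def run_sample():
    return audit_forms(FORMS, LISTS)


if __name__ == "__main__":
    for applicant, problems in run_sample().items():
        print(applicant, "OK" if not problems else "; ".join(problems))
```

In the sample, applicant-2's form is signed by an SSO but by a person who is not on Directorate A's list, so it is still rejected; applicant-3's form fails both because Directorate B's list has lapsed and because the TS/SCI request has no SSO signature.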
As a result, PIV issuers may be granting physical access to federally controlled facilities and areas containing TS/SCI and other classified information to individuals who may not need access.

Revoked PIV Cards Are Not Properly Tracked or Deactivated

ACO specialists at Headquarters enrollment centers are not properly tracking revoked or surrendered DHS PIV cards to ensure that the cards are promptly returned to the NAC ACO for physical destruction. According to the Department of Homeland Security (DHS) Headquarters Homeland Security Presidential Directive 12 (HSPD-12) Procedures Reference Book, a DHS PIV cardholder's supervisor is to notify the ACO when the cardholder no longer requires access to DHS facilities. Once the card has been received, the Headquarters ACO should promptly destroy the PIV card by shredding it and create a destruction report for the card.

The Headquarters ACO maintains a log of destroyed PIV cards. The destruction log includes the badge number, the reason for destroying the card, the date destroyed, the name of the individual who destroyed the card, and the name of a witness. However, the Headquarters ACO Branch Chief has not updated the destruction log on a regular basis. For example, when we requested the most recent destruction log on July 23, 2009, the ACO Branch Chief provided us with one dated March 23, 2009, as the most recent.

Also, ACO specialists are not deactivating DHS PIV cards in IDMS and Headquarters PACS in a timely manner.
In testing a sample of 10 PIV cards having a status of "revoked" in IDMS but not yet destroyed, 1 of the 10 revoked PIV cards still allowed physical access to Headquarters' 1120 Vermont Avenue facility. This card was still "active" in PACS. Additionally, though the cards obtained had a "revoked" status in IDMS, 4 of the 10 cards still had active certificates in IDMS.

We discussed our concerns with the Headquarters ACO Branch Chief. The Branch Chief has since taken steps to implement a new process at the 7th & D and NAC ACOs to ensure that all certificates are deactivated in IDMS and that the Headquarters PACS status is promptly deactivated. However, even with the new process in place, the security of DHS facilities, systems, and sensitive data may be compromised until there is an electronic interface between IDMS and PACS. This electronic interface would link IDMS and PACS so that any change in one database would be reflected in the other in real time, thereby reducing the risks associated with the current manual deactivation process.

Physical Security at Headquarters Needs Improvement

Our physical security evaluations conducted at two Headquarters ACOs exposed several issues with regard to the security of processing PIV cards and the protection of PII. At one ACO, our review found that 11000-14 Identification Access Control Card Request forms containing employee/contractor PII are stored in unlocked filing cabinets.

At the other ACO, blank PIV cards, 11000-14 forms, and cards that need to be destroyed are not being secured.
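Until an electronic interface exists, the manual IDMS-to-PACS deactivation described above is the kind of gap that a daily reconciliation of the two databases catches. The following is an added example, not code from the report or from DHS' IDMS or PACS systems: it takes a constructed IDMS card-status export and a constructed PACS access-rights export, and flags cards revoked in IDMS but still active in PACS, revoked cards whose certificates were never deactivated, revocations older than an assumed one-day tolerance, and PACS entries with no IDMS record behind them, reporting the mismatch rate the same way the report does (40 of 1,539 deactivated cards, or 2.6%). The record layouts, field names, tolerance, and sample rows are assumptions.

```python
"""Daily reconciliation of IDMS card status against PACS access rights.

Added example; this is not code from the OIG report or from DHS' IDMS or
PACS systems. The record layouts, field names, lag threshold and sample
rows below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass(frozen=True)
class IdmsCard:
    card_id: str        # badge/card identifier (constructed format)
    status: str         # "active", "suspended" or "revoked"
    cert_active: bool   # PIV certificates still valid in IDMS
    status_date: date   # date the current status was set


@dataclass(frozen=True)
class PacsCard:
    card_id: str
    access_active: bool  # physical access rights still enabled in PACS


@dataclass
class Findings:
    revoked_but_pacs_active: list = field(default_factory=list)
    revoked_but_cert_active: list = field(default_factory=list)
    stale_revocations: list = field(default_factory=list)
    pacs_unknown_to_idms: list = field(default_factory=list)


def reconcile(idms, pacs, as_of, max_lag_days=1):
    """Compare the two exports and return every inconsistency found.

    max_lag_days is an assumed tolerance: a revocation older than this that
    is still active in PACS is flagged as stale rather than merely pending.
    """
    pacs_by_id = {p.card_id: p for p in pacs}
    f = Findings()
    for card in idms:
        if card.status != "revoked":
            continue
        pacs_rec = pacs_by_id.get(card.card_id)
        if card.cert_active:
            f.revoked_but_cert_active.append(card.card_id)
        if pacs_rec is not None and pacs_rec.access_active:
            f.revoked_but_pacs_active.append(card.card_id)
            if (as_of - card.status_date).days > max_lag_days:
                f.stale_revocations.append(card.card_id)
    # Access rights that exist in PACS for a card IDMS has never issued.
    known = {c.card_id for c in idms}
    f.pacs_unknown_to_idms = sorted(cid for cid in pacs_by_id if cid not in known)
    return f


def mismatch_rate(findings, idms):
    """Share of IDMS-revoked cards still active in PACS, as a percentage."""
    revoked = sum(1 for c in idms if c.status == "revoked")
    if revoked == 0:
        return 0.0
    return round(100.0 * len(findings.revoked_but_pacs_active) / revoked, 1)


# Constructed sample exports (not real DHS data).
SAMPLE_IDMS = [
    IdmsCard("C-1001", "active", True, date(2009, 7, 1)),
    IdmsCard("C-1002", "revoked", False, date(2009, 7, 10)),  # clean revocation
    IdmsCard("C-1003", "revoked", True, date(2009, 7, 15)),   # certificates never deactivated
    IdmsCard("C-1004", "revoked", False, date(2009, 6, 1)),   # PACS left active for weeks
    IdmsCard("C-1005", "revoked", True, date(2009, 7, 22)),   # revoked yesterday, PACS pending
]
SAMPLE_PACS = [
    PacsCard("C-1001", True),
    PacsCard("C-1002", False),
    PacsCard("C-1003", False),
    PacsCard("C-1004", True),
    PacsCard("C-1005", True),
    PacsCard("C-9999", True),  # access rights with no IDMS record behind them
]
AS_OF = date(2009, 7, 23)


def run_sample():
    return reconcile(SAMPLE_IDMS, SAMPLE_PACS, AS_OF)


if __name__ == "__main__":
    found = run_sample()
    print("revoked in IDMS, active in PACS:", found.revoked_but_pacs_active)
    print("revoked in IDMS, certificates active:", found.revoked_but_cert_active)
    print("stale (older than tolerance):", found.stale_revocations)
    print("PACS cards unknown to IDMS:", found.pacs_unknown_to_idms)
    print("mismatch rate: %.1f%%" % mismatch_rate(found, SAMPLE_IDMS))
```

The four lists are the work items an ACO would act on the same day: deactivate access in PACS, revoke the remaining certificates in IDMS, and investigate any PACS card that IDMS never issued. The tolerance and field names would be set from the real exports.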
Blank PIV cards and 11000-14 forms are stored in unlocked desk drawers at EIWS. At the end of the workday, the enrollment officials consolidate all paper 11000-14 forms into a single folder and place the folder on top of a filing cabinet in the ACO; the folder containing the forms is not secured in any way. When a PIV card is surrendered, an enrollment official punches the PIV card chip out and stores the card in an EIWS desk drawer. Punching the PIV card chip out does not disable the magnetic stripe, which stores a cardholder's physical access rights to Headquarters facilities.

According to the Department of Homeland Security (DHS) Headquarters Homeland Security Presidential Directive 12 (HSPD-12) Procedures Reference Book, the designated card custodian is responsible for storing card stock in a secure facility. The designated card custodian is also responsible for storing used, revoked, and defective PIV cards in a secure location until destruction. According to the Federal Identity Management Handbook, agencies should establish a business process and secure delivery method for all PIV-related documents.
Regardless of the business process implemented by the agency, the process should be auditable and secure and should protect the applicant's PII.

Recommendations

We recommend that DHS' Chief Security Officer, in conjunction with the Chief Information Officer:

Recommendation #6: Address the configuration, card management, and user account issues identified according to HSPD-12 and DHS policy.

Recommendation #7: Develop a configuration management policy conducive to the department-wide deployment of EIWS at enrollment centers.

Recommendation #8: Develop formal procedures for creating IDMS accounts and roles, and the privileges associated with those accounts and roles.

Recommendation #9: Define account and PIV card management controls, procedures, and a process for ensuring that controls have been implemented.

Recommendation #10: Reconcile IDMS records with Headquarters PACS records to identify inconsistencies and ensure the accuracy of both databases.

Recommendation #11: Ensure that PACS is certified and accredited according to DHS policy under FISMA.

Recommendation #12: Define uniform, auditable policies and procedures that clearly specify when and how access controls should be granted and disabled, including card revocation, suspension, and destruction.
These procedures should be established for all enrollment centers and implemented in all ACOs.

Recommendation #13: Establish an authorized signatory agent list and develop a procedure to verify signatures on DHS 11000-14 forms to ensure that only authorized individuals are signing DHS 11000-14 forms.

Recommendation #14: Develop detailed, uniform procedures that require enrollment center personnel to secure blank PIV cards, 11000-14 forms, and surrendered PIV cards containing PII while stored at the ACOs.

Recommendation #15: Implement procedures for evaluating physical security at ACOs and enrollment centers to ensure that PII is properly protected.

Management Comments and OIG Analysis

DHS management concurred with recommendation 6. The DHS HSPD-12 Procedures Reference Book will be revised by January 30, 2010, to incorporate new and additional policies, processes, and procedures, and system functionality, including configuration, card management, and user account issues. The revised reference book will also reflect system modifications and enhancements that have been made as a result of receiving ATO on September 11, 2009. As appropriate, this information will be incorporated into enrollment center training that will be provided to DHS PIV enrollment officials and ACO employees. Training requirements will also be included in solicitations that support nationwide deployment requirements.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 7. By January 30, 2010, the DHS HSPD-12 Procedures Reference Book will be revised to address the specific configuration management issues associated with department-wide deployment of the EIWS. Additionally, the reference book will be updated to reflect feedback from the system's recent C&A process. As appropriate, this information will be incorporated into enrollment center training.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 8. By January 30, 2010, OCSO will update Section 2.0, Roles and Responsibilities, of the DHS HSPD-12 Procedures Reference Book to address the procedures for creating IDMS accounts and roles, and the privileges associated with those accounts and roles. As appropriate, this information will be incorporated into enrollment center training and audited by the PMO staff to ensure compliance.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 9.
By January 30, 2010, OCSO will update Section 3.4, DHS PIV Card Issuance, Re-Issuance, and Renewal, of the DHS HSPD-12 Procedures Reference Book to define account and PIV card management controls, procedures, and a process for ensuring that controls have been implemented. As appropriate, this information will be incorporated into enrollment center training and audited to help ensure compliance.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 10. OCSO is establishing a methodology for reconciling daily Headquarters PIV card revocation reports from IDMS against activity in Headquarters PACS. The DHS Headquarters PACS interface is the first of its kind in the department and is therefore being used to define component requirements and technical integration requirements. Moreover, the Physical Security Manager's Working Group for PIV integration is documenting the common business processes and requirements that will form the basis for common department-wide standards and a sustainable enterprise-based technical solution.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 11. The PACS C&A process is underway and is scheduled for completion by the second quarter of FY 2010.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 12. By January 30, 2010, OCSO will update Section 3.0, Procedures, of the DHS HSPD-12 Procedures Reference Book to define uniform, auditable policies and procedures for granting and disabling access, and for card revocation, suspension, and destruction. Additionally, the Physical Security Manager's Working Group for PIV integration is documenting the common business processes and requirements that will further define standard policies and procedures for enrollment centers and ACOs.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 13. The DHS OCSO ACO established a signatory agent list procedure in June 2005. In mid-2008, DHS Headquarters began exchanging legacy access control cards for HSPD-12 compliant PIV cards.
To facilitate the issuance of the PIV card, the use of the signatory agent list was temporarily suspended only for those personnel who presented an unexpired legacy card. However, new employees and those who held a legacy access control card that was expired or lost were still required to get an approved signatory authority's signature on the 11000-14. During the legacy card exchange period, signatory authority lists were periodically updated. The requirement for a properly signed DHS Form 11000-14 was reinstituted in October 2009 for all card issuance. OCSO will update the ACO's standard operating procedures and incorporate the updates into enrollment center and ACO training. The requirement is already included in the DHS HSPD-12 Procedures Reference Book, Section 3.3, Adjudication and On-Boarding Determination.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 14. By January 30, 2010, Section 3.0 of the DHS HSPD-12 Procedures Reference Book will be updated to more fully address the identification and protection of PII and to provide procedures for securing blank/surrendered PIV cards. OCSO will also reinforce current standard operating procedures and ensure enrollment center and ACO personnel are appropriately trained.
When updating the reference book, standard operating procedures, and training, OCSO will refer to applicable DHS guidance, OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, and the Federal Identity, Credential, and Access Management Roadmap and Implementation Guidance.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation. We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

DHS management concurred with recommendation 15. OCSO is strengthening existing standard operating procedures and training requirements associated with the physical security at ACOs. Storage containers, locks, and, when applicable, alarms will be used at ACO locations. Furthermore, the DHS HSPD-12 Procedures Reference Book will be revised to more fully address physical security at the ACOs and the identification and protection of PII.

OIG Analysis

We agree that the steps that DHS is taking, and plans to take, begin to satisfy this recommendation.
We consider this recommendation resolved; it will remain open until DHS provides documentation to support that all planned corrective actions are completed.

Appendix A
Purpose, Scope, and Methodology

The objective of our audit was to determine whether DHS is meeting HSPD-12 implementation requirements and completing actions to address our prior audit recommendations. We determined whether DHS (1) adequately addressed HSPD-12 requirements in its implementation plan and process, (2) has implemented effective physical and system security controls to protect the privacy of personal data collected and processed by IDMS, and (3) completed system documentation in compliance with FISMA requirements.

Our audit focused on the requirements outlined in HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors; OMB M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors; and FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors.
In addition, we reviewed the Federal Identity Management Handbook; Department of Homeland Security (DHS) Headquarters Homeland Security Presidential Directive 12 (HSPD-12) Procedures Reference Book; National Institute of Standards and Technology Special Publication (NIST SP) 800-53, Recommended Security Controls for Federal Information Systems; NIST SP 800-79-1, Guidelines for the Accreditation of Personal Identity Verification Card Issuers; DHS Sensitive Systems Handbook 4300A; DHS Windows SBCG; DHS Linux SBCG; and DHS Oracle SBCG.

We interviewed management personnel in the Office of Security and OCIO. In addition, we interviewed the HSPD-12 Program Manager, personnel from the Headquarters ACO, and contractor personnel, including the system administrators and the Facility Security Officer. Further, we interviewed Office of Inspector General security personnel and personnel from GSA's Managed Services Office.

We evaluated DHS' HSPD-12 implementation plan, deployment process, and compliance with milestone dates. We conducted physical security evaluations of the contractor's facilities in Miami, FL, and the ACOs located in the Washington, DC, area. We also tested a sample of revoked PIV cards to determine whether they still allowed physical access to Headquarters facilities.

In addition, we performed detailed system security vulnerability assessments of the IDMS database, web application, and server; GFE at the contractor's Miami, FL, location and Headquarters enrollment centers; card issuance workstations located at Headquarters and CBP; and a kiosk located at the NAC.
We excluded system security vulnerability testing of Headquarters PACS and an evaluation of the Virtual Private Network connection at the Stennis Data Center from our audit scope.

We verified account management controls and performed analytical queries of data contained in IDMS and Headquarters PACS. Furthermore, we analyzed certification and accreditation documentation for the IDMS and PACS systems. We followed up on prior recommendations made in our October 2007 report, Progress Has Been Made But More Work Remains in Meeting Homeland Security Presidential Directive 12 Requirements (OIG-08-01).

We conducted our fieldwork at DHS' Headquarters offices in the Washington, DC, metropolitan area and at contractor facilities in Miami, FL. Fieldwork was completed between June and October 2009 under the authority of the Inspector General Act of 1978, as amended, and according to generally accepted government auditing standards. Major OIG contributors to the audit are identified in Appendix F.

The principal OIG points of contact for the audit are Frank W. Deffer, Assistant Inspector General, IT Audits, at (202) 254-4100, and Edward G.
Coleman, Director, Information Security Audit Division, at (202) 254-5444.

Appendix B
Management Comments to the Draft Report

[Management's comments appear as scanned pages 32 through 38 of the original report; no text is available for them here.]

Appendix C
DHS PIV Card and Issuance Roles

• Applicant – The individual applying for a DHS PIV card.
The applicant must be a current or prospective federal hire, federal employee, or contractor.

• DHS PIV Sponsor – The individual responsible for administering the on-boarding of DHS Headquarters' new employees or contractors and initiating the identity vetting process. The sponsor is responsible for verifying that an individual should be obtaining a DHS PIV card, selecting the necessary system checks, and marking the sponsorship as approved. When new employees applying for a PIV card have not yet been entered into the Personnel Security Division's Integrated Security Management System, the sponsor has the ability to create a new record for the employee in the system. The sponsor, however, still needs to carry out the other responsibilities associated with the role prior to approving sponsorship.

• Authorized Signatory Agent – The individual authorized by a DHS directorate to approve the issuance of a DHS PIV card to an applicant.

• PIV Registrar – The Personnel Security Division's Entry-on-Duty Adjudication team lead or the federal designee who makes the final determination for the applicant to proceed to DHS PIV card issuance. The registrar is responsible for the adjudication of background investigations and the Federal Bureau of Investigation check.

• Enrollment Official – The individual who initiates the chain of trust for identity proofing and provides trusted services to confirm employer sponsorship, bind the applicant to their biometric, and validate the identity source documentation.
This official is responsible for obtaining an applicant's fingerprints, scanning identity documents, and capturing a photo of the applicant during the enrollment process.

• PIV Issuer – An authorized identity card creator that procures FIPS-approved blank identity cards, initializes them with the appropriate software and data elements for the requested identity verification and access control application, personalizes the cards with the identity credentials of authorized individuals, and delivers personalized cards to these individuals, along with appropriate instructions for protection and use. The issuer is responsible for printing, encoding, and activating the PIV card.

Appendix D
Current IDMS Architecture

[Architecture diagram; not reproduced in text.]

Appendix E
DHS PIV Card Issuance Process

[Process diagram; not reproduced in text.]

Appendix F
Major Contributors to this Report

Information Security Audit Division

Edward Coleman, Director
Barbara Bartuska, IT Audit Manager
Mike Horton, IT Officer
Charles Twitty, IT Auditor/Team Lead
Bridget Glazier, IT Auditor
Amanda Strickler, IT Specialist
Tom Rohrback, IT Specialist
David Bunning, IT Specialist
Joseph Landas, Program and Management Clerk
Lauren Badley, Program and Management Clerk

Craig Adelman, Referencer

Appendix G
Report Distribution

Department of Homeland Security

Secretary
Deputy Secretary
Chief of Staff for Operations
Chief of Staff for Policy
Deputy Chiefs of Staff
General Counsel
Executive Secretariat
Director, GAO/OIG Liaison Office
Assistant Secretary for Office of Policy
Chief Security Officer
Deputy Chief Security Officer
Chief Information Officer
Chief Information Security Officer
Director, Compliance and Oversight Program
Chief, Identity Management Division
Chief Technology Officer, OCIO
Executive Director, IT Services Office (ITSO)
Deputy Director, Headquarters Services Division
Information System Security Manager, ITSO, Headquarters Services Division
Information System Security Officer, OCIO
Audit Liaison, OCIO
Director, OIG Information Security Audit Division
IT Audit Manager, OIG Information Security Audit Division

Office of Management and Budget

Chief, Homeland Security Branch
DHS OIG Budget Examiner
Congress

Congressional Oversight and Appropriations Committees, as appropriate

ADDITIONAL INFORMATION AND COPIES

To obtain additional copies of this report, please call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4305, or visit the OIG web site at www.dhs.gov/oig.

OIG HOTLINE

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations:

• Call our Hotline at 1-800-323-8603;

• Fax the complaint directly to us at (202) 254-4292;

• Email us at DHSOIGHOTLINE@dhs.gov; or

• Write to us at:
  DHS Office of Inspector General/MAIL STOP 2600,
  Attention: Office of Investigations - Hotline,
  245 Murray Drive, SW, Building 410,
  Washington, DC 20528.

The OIG seeks to protect the identity of each writer and caller.